A remote attacker can inject into Prometheus arbitrary PHP code that
executes under the privileges of the underlying web server. The crux
of the problem lies in the following snippet of code extracted from
the top of prometheus-library/all.lib:

An attacker could force the application to load a tainted version of
autoload.lib and prometheus-lib.path that contains arbitrary PHP code
from a remote server by setting PHP_AUTO_LOAD_LIB to "0" and
PROMETHEUS_LIBRARY_BASE to the address of the remote server. The
following scripts can be targeted in this attack because all.lib is
included without any filtering:

* index.php
* install.php
* test_*.php

The following is a sample attack URL that would cause "target.server"
to load autoload.lib and prometheus-lib.path from "attackers.server".

Remote exploitation allows an attacker to execute arbitrary commands
and code under the privileges of the web server. This also opens the
door to privilege escalation attacks.

IV. DETECTION

iDEFENSE has verified that Prometheus 6.0 is vulnerable. Versions
3.0-beta and 4.0-beta are also reportedly vulnerable. Other earlier
versions may be vulnerable as well. To determine if a specific
implementation is vulnerable, experiment with the above-described
attack.

V. WORKAROUND

* First, locate the files that make dangerous calls to include().
The following sample command line accomplishes this:

iDEFENSE is a global security intelligence company that proactively
monitors sources throughout the world — from technical
vulnerabilities and hacker profiling to the global spread of viruses
and other malicious code. Our security intelligence services provide
decision-makers, frontline security professionals and network
administrators with timely access to actionable intelligence
and decision support on cyber-related threats. For more information,
visit http://www.idefense.com.